I agree, I don't think we want to take things like that if we don't need to. We might not want to leak the JJWT interfaces in our APIs, but I would much rather leverage an existing lib whenever possible.

On Thu, Mar 7, 2019 at 12:39 PM Les Hazlewood <[email protected]> wrote:

> Hi François!
>
> I see it a little differently. Shiro 'sits' a little higher than some
> of the lower-level utilities like working with JWTs. IMO, it should
> leverage these lower-level tools rather than re-invent the wheel. So using
> JJWT for JWTs or using Jackson for JSON, etc.
>
> When I wrote JJWT, I had no idea how many things I would have to take
> into account for the JWT set of specifications. It is a *lot* of work
> and so many different things need to be taken into account depending
> on whether the JWT is unsigned, signed, or encrypted. IMO, this is a whole
> set of low-level responsibilities outside the realm of Application
> Security, which is Shiro's bread-and-butter.
>
> I think it would make a lot more sense for Shiro to _use_ JJWT to
> accomplish things - i.e. session cookies, identity protocol support
> (OpenID Connect, etc). And of course, wrap these calls behind a nice
> API/Interface so as to not tightly couple Shiro's codebase to JJWT.
>
> FWIW, JJWT also has 'plugin' capabilities where signature and
> encryption algorithms can be delegated to another provider, and maybe
> Shiro could be that provider. That said, I don't think that's
> necessary because JJWT's algorithm support is already broader in
> support than what Shiro currently has because the JWE specifications
> require various things (like EllipticCurve etc).
>
> Thoughts? Does this make sense?
>
> Cheers,
>
> Les
>
> On Thu, Mar 7, 2019 at 12:17 PM Francois Papon
> <[email protected]> wrote:
> >
> > Hi Les,
> >
> > I took a look at JJWT and it's really great ;)
> >
> > But as Shiro is a security framework and already has a cryptography
> > module, I was hoping that we could have our own implementation.
> >
> > regards,
> >
> > François Papon
> > [email protected]
> >
> > On 07/03/2019 at 01:37, Les Hazlewood wrote:
> > > What about jjwt - would that work?
> > >
> > > On Wed, Mar 6, 2019 at 3:15 PM Brian Demers <[email protected]> wrote:
> > >> What use cases are you thinking about targeting?
> > >>
> > >>
> > >> On Wed, Mar 6, 2019 at 1:33 PM Francois Papon <[email protected]>
> > >> wrote:
> > >>
> > >>> Hi guys,
> > >>>
> > >>> I would like to start a thread about JWT.
> > >>>
> > >>> We already have a shiro-jaxrs module and I think it would be nice for
> > >>> Shiro to be able to use JWT.
> > >>>
> > >>> There are some existing implementations (Apache CXF JOSE, Apache Geronimo
> > >>> microprofile...) and for me it makes sense to have an implementation of
> > >>> JWT in Shiro.
> > >>>
> > >>> Thoughts?
> > >>>
> > >>> regards,
> > >>>
> > >>> --
> > >>> François Papon
> > >>> [email protected]
